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Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 
Listing of Claims: 

1 . (currently amended) A method for detecting hostile software in a computer 
system comprising: 

storing a representation of configuration data associated with an operating system 
for the computer system obtained at a first time, wherein the stored representation of 
configuration data is encrypted prior to being stored; 

comparing the stored representation of the configuration data obtained at the first 
time with a representation of the configuration data associated with the operating system for the 
computer system obtained at a second time, wherein the operating system is actively operating at 
the second time; and 

if deviation is detected between the stored representation of the configuration data 
obtained at the first time and the representation of the configuration data obtained at the second 
time, automatically performing at least one remedial measure in response to the deviation 
detected, wherein the operating system continues to operate after the at least one remedial 
measure is performed * wherein the at least one remedial measure comprises det ermining a 
storage location associated with suspected executable code in the computer system and m oving 
suspected executable code to a specified storage location for later evaluation. 

2. (original) The method of claim 1 wherein the configuration data relates to 
identification of executable code installed in the computer system. 

3. (original) The method of claim 1 wherein the configuration data relates to 
identification of a command line for invoking executable code associated with a particular file 
extension. 
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4. (original) The method of claim 1 wherein the configuration data is obtained 
from a registry maintained by the operating system, 

5. (original) The method of claim 4 wherein the configuration data obtained 
from at least one key associated with the registry. 

6. (original) The method of claim 1 wherein the configuration data is obtained 
from a file stored in the computer system. 

7. (canceled). 

8. (original) The method of claim 1 wherein the configuration data is compared 
to a predefined value. 

9. (original) The method of claim 1 wherein the configuration data is checked for 
addition of data. 

10. (original) The method of claim 1 wherein the configuration data is checked 
for removal of data. 

11. (canceled). 

12. (original) The method of claim 1 wherein the at least one remedial measure 
comprises determining whether suspected executable code is currently executing. 

13. (original) The method of claim 12 wherein the at least one remedial measure 
further comprises terminating execution of the suspected executable code. 

14. (original) The method of claim 13, wherein the suspected executable code 
does not receive notification prior to being terminated. 

15. (canceled). 
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16. (original) The method of claim 1 wherein the at least one remedial measure 
comprises altering configuration data associated with the operating system to reflect the stored 
representation of the configuration data. 

17. (original) The method of claim 1 wherein the operating system is a 
Windows-based operating system. , 

18. (original) The method of claim 1 wherein the operating system is a Linux- 
based operating system. 

19. (currently amended) A computer system capable of detecting hostile 
software comprising: 

a processing unit capable of being controlled by an operating system; 

a storage unit coupled to the processing unit, the storage unit capable of storing a 
representation of configuration data associated with the operating system obtained at a first time, 
wherein the stored representation of configuration data is encrypted prior to being stored; 

wherein the processing unit is capable of comparing the stored representation of 
the configuration data obtained at the first time with a representation of the configuration data 
associated with the operating system obtained at a second time, wherein the operating system is 
actively operating at the second time, and, if deviation is detected between the stored 
representation of the configuration data obtained at the first time and the representation of the 
configuration data obtained at the second time, automatically performing at least one remedial 
measure in response to the deviation detected, wherein the operating system continues to operate 
after the at least one remedial measure is performed , wherein the at least one remed ial measure 
comprises determining a storage location associated with suspected executable c ode in the 
computer system and moving suspected executable code to a specified storage location for later 
evaluation . 

20. (currently amended) A system for detecting hostile software in a computer 
system comprising: 



Page 4 of 9 



AppL No. 10/808,260 PATENT > 

Amdt. dated December 8, 2008 

Amendment under 37 CFR 1.116 Expedited Procedure 

Examining Group 2434 

means for storing a representation of configuration data associated with an 
operating system for the computer system obtained at a first time, wherein the stored 
representation of configuration data is encrypted prior to being stored; 

means for comparing the stored representation of the configuration data obtained 
at the first time with a representation of the configuration data associated with the operating 
system for the computer system obtained at a second time, wherein the operating system is 
actively operating at the second time; and 

means for automatically performing at least one remedial measure in response to 
the deviation detected, if deviation is detected between the stored representation of the 
configuration data obtained at the first time and the representation of the configuration data 
obtained at the second time, wherein the operating system continues to operate after the at least 
one remedial measure is performed , wherein the at least one remedial measure comprises 
determining a storage location associated with suspected executable code in the comp uter system 
and moving suspected executable code to a specified storage location for later evaluation , 

21. (currently amended) An article of manufacture comprising: 

a computer usable medium having computer readable program code means 

embodied therein for causing hostile software to be detected in a computer system, the computer 

readable program code means in said article of manufacture comprising: 

computer readable program code means for causing a computer to store a 

representation of configuration data associated with an operating system for the computer system 

obtained at a first time, wherein the stored representation of configuration data is encrypted prior 

to being stored; 

computer readable program code means for causing the computer to compare the 
stored representation of the configuration data obtained at the first time with a representation of 
the configuration data associated with the operating system for the computer system obtained at a 
second time, wherein the operating system is actively operating at the second time; and 

computer readable program code means for causing the computer to automatically 
perform at least one remedial measure in response to the deviation detected, if deviation is 
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detected between the stored representation of the configuration data obtained at the first time and 
the representation of the configuration data obtained at the second time, wherein the operating 
system continues to operate after the at least one remedial measure is performed , wherein the at 
least one remedial measure comprises determining a storage location associated with suspected 
executable code in the computer system and moving suspected executable code to a specified 
storage location for later evaluation . 
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